Synology: Creating Encrypted Folders

Now that you know a little more about encrypted folders, I would like to walk through the 2-step process on how to create them. Read on to learn more!

Create an Encrypted Folder

Creating an encrypted folder follows a similar process to creating a new folder. Assuming you already have a volume with free space available, open File Station and select the option to create a Folder or Shared Folder: Control Panel > Shared Folder > Create. Go through the process of giving the folder a name and selecting the options you desire — for maximum security I suggest selecting all of the options. The last option is a checkbox to enable encryption. Be sure to select it. You will be prompted for an encryption key, which is a passphrase. This passphrase should be very secure as it is your way of getting access to the contents within the folder. For maximum security, I do not suggest selecting the option to mount the share on startup, but note that without this option, manual steps will be necessary to mount the share after a system restart (e.g. system upgrade). Finally, select OK.
You will be prompted with some notes covered in my previous post. Select Yes.
A key file will be downloaded to your system — more on this in the next section. You can now change things such as user permissions and advanced settings. For maximum security, I suggest restricting access and settings as much as possible. Leverage the “No Access” permission for all applicable users. Depending on the services you are using and the use case for the encrypted share, consider disabling the options under the Advanced > Advanced Settings section. When done, select OK. At this point you will see a new shared folder with an unlocked symbol next to it, telling you the share is encrypted but currently unlocked.

Save the Encryption Key

As the encrypted folder is being created, a key will be downloaded. You should save this key in a secure location that IS NOT within the encrypted folder being created. You will need this key should you forget your passphrase. If you forget your passphrase and lose your key then you will not be able to mount your encrypted share.
The above information might seem like a “duh”, but I cannot stress it enough primarily because the question becomes where to store this key. While everyone’s answer to this question may be different, be sure to spend some time considering it. Possible options include:

An offline storage device such as a USB key

In physical form (i.e. print it out) in a safe of some sort

Saving the key on the Synology device it was created on, whether in the encrypted folder or not, is not recommended. In addition, saving it on a public, cloud-facing storage solution would open another attack vector on your data.

Summary

As you can see, creating an encrypted folder on Synology is simple, especially if you know the specifications of the feature beforehand. The most important thing in my opinion is ensuring the downloaded encryption key is stored in a safe location.